AWS provides secure cloud capabilities, but customers remain responsible for configuring workloads, access, evidence, operations, and organizational controls appropriate to their SOC 2 scope.
Identity and privileged access
Centralize workforce access, enforce MFA, reduce long-lived credentials, review privilege, control break-glass access, and preserve evidence of approvals and reviews.
Logging, detection, and evidence
Enable appropriate CloudTrail, Config, security findings, retention, alerting, and review processes. Evidence must show both configuration and operation over time.
Data protection and resilience
Document encryption, key ownership, secrets, backup, restore testing, recovery expectations, data retention, and secure deletion practices.
Change and incident management
Connect infrastructure as code, code review, deployment records, vulnerability management, incident procedures, post-incident learning, and risk acceptance to accountable owners.